153 lines
5.1 KiB
YAML
153 lines
5.1 KiB
YAML
---
|
|
- name: Install Podman
|
|
become: true
|
|
ansible.builtin.apt:
|
|
name: podman
|
|
state: present
|
|
- name: Create a user for running the pi-hole podman container
|
|
ansible.builtin.include_role:
|
|
name: user
|
|
vars:
|
|
user_username: "{{ pi_hole_username }}"
|
|
user_password: "{{ pi_hole_password }}"
|
|
- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
|
|
become: true
|
|
become_user: "{{ pi_hole_username }}"
|
|
ansible.builtin.file:
|
|
path: "/home/{{ pi_hole_username }}/etc-pihole"
|
|
state: directory
|
|
mode: '0700'
|
|
register: command_result
|
|
failed_when:
|
|
- command_result.changed == false
|
|
- command_result.rc != 0
|
|
# This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
|
|
# changes the user of the folder to a UID only known within the container. This command basically doesn't need to
|
|
# change anything at this point so we'll ignore the error for now.
|
|
- "'set_mode_if_different' not in command_result.module_stdout"
|
|
- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
|
|
become: true
|
|
become_user: "{{ pi_hole_username }}"
|
|
ansible.builtin.file:
|
|
path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
|
|
state: directory
|
|
mode: '0700'
|
|
failed_when:
|
|
- command_result.changed == false
|
|
- command_result.rc != 0
|
|
# This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
|
|
# changes the user of the folder to a UID only known within the container. This command basically doesn't need to
|
|
# change anything at this point so we'll ignore the error for now.
|
|
- "'set_mode_if_different' not in command_result.module_stdout"
|
|
- name: Start the Pi-hole container
|
|
become: true
|
|
become_user: "{{ pi_hole_username }}"
|
|
containers.podman.podman_container:
|
|
name: pi-hole
|
|
image: docker.io/pihole/pihole:2024.03.2
|
|
restart_policy: on-failure # TODO: Doesn't restart containers on reboot for some reason...
|
|
publish:
|
|
# It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
|
|
# Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
|
|
- 127.0.0.1:5053:53/tcp
|
|
- 127.0.0.1:5053:53/udp
|
|
- 127.0.0.1:8080:80
|
|
env:
|
|
TZ: 'Europe/Amsterdam'
|
|
WEBPASSWORD: "{{ pi_hole_web_password }}"
|
|
# VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
|
|
# FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
|
|
PIHOLE_DNS_: 1.1.1.1;1.0.0.1
|
|
DNSMASQ_USER: root
|
|
INTERFACE: tap0
|
|
volumes:
|
|
- "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
|
|
- "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
|
|
state: started
|
|
- name: Install certificate for pi-hole.kleinendorst.info
|
|
become: true
|
|
ansible.builtin.command:
|
|
cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
|
|
creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
|
|
- name: Set Nginx configuration
|
|
become: true
|
|
ansible.builtin.template:
|
|
src: pi-hole.conf.j2
|
|
dest: /etc/nginx/conf.d/pi-hole.conf
|
|
mode: '0644'
|
|
notify: Restart Nginx
|
|
- name: Debug
|
|
ansible.builtin.debug:
|
|
msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
|
|
- name: Install ufw
|
|
become: true
|
|
ansible.builtin.apt:
|
|
name: ufw
|
|
state: present
|
|
- name: Set default policy (incoming)
|
|
become: true
|
|
community.general.ufw:
|
|
direction: incoming
|
|
policy: deny
|
|
- name: Set default policy (outgoing)
|
|
become: true
|
|
community.general.ufw:
|
|
direction: outgoing
|
|
policy: allow
|
|
- name: Allow forwarding in ufw
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ufw/sysctl.conf
|
|
regexp: '^#net/ipv4/ip_forward=1$'
|
|
line: 'net/ipv4/ip_forward=1'
|
|
- name: Configure firewall to allow forward requests
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/default/ufw
|
|
regexp: '^DEFAULT_FORWARD_POLICY="DROP"$'
|
|
line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
|
|
notify: Restart ufw
|
|
- name: Add forwarding rules for ufw
|
|
become: true
|
|
ansible.builtin.blockinfile:
|
|
path: /etc/ufw/before.rules
|
|
insertafter: "^COMMIT$"
|
|
block: |-
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
-A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5053
|
|
-A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5053
|
|
COMMIT
|
|
notify: Restart ufw
|
|
- name: Allow all access to ssh
|
|
become: true
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: ssh
|
|
proto: tcp
|
|
notify: Restart ufw
|
|
- name: Allow all access to https
|
|
become: true
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: https
|
|
proto: tcp
|
|
notify: Restart ufw
|
|
- name: Allow all access to port 53 (udp)
|
|
become: true
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '53'
|
|
proto: udp
|
|
notify: Restart ufw
|
|
- name: Allow all access to port 53 (tcp)
|
|
become: true
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '53'
|
|
proto: tcp
|
|
notify: Restart ufw
|
|
- name: Enable ufw
|
|
become: true
|
|
community.general.ufw:
|
|
state: enabled
|